Osram Fixes Flaws in Lightify Connected Light Bulbs

Rapid7 researchers found critical flaws in Osram Lightify connected bulbs and the Zigbee wireless protocol used to control them. Osram fixed most of the flaws.

Among the popular emerging use cases for the internet of things is connected lightbulbs that users can control remotely. New research disclosed July 26 by security vendor Rapid7 reveals that it discovered numerous flaws in the Osram Lightify product lineup, which could have exposed users to risk. The company fixed most of the flaws in a patch update.
Rapid7 found nine issues affecting the Home and Pro version of the Osram Lightify products. Among the vulnerabilities is CVE-2016-5051, a network WiFi password vulnerability. Rapid7 found that the mobile application for Lightify Home saved the user's WiFi password as clear text.
"Based on my personal experience of testing mobile applications over a number of years, it is very common to see this type of vulnerability—where mobile applications are storing passwords, in clear text," Deral Heiland, research lead at Rapid7, told eWEEK.
Another flaw Rapid7 identified is CVE-2016-5053, which enables users on the local network to get access without a password. Rapid7 often finds home automation technology deployed in small businesses or offices, and if these internet of things (IoT) technologies are deployed on networks, there is a shared risk of abuse and compromise becomes more critical, Heiland said.

"The ability to reconfigure a device over the network without any form of authentication is a security design flaw that needs to be avoided," he said.

The way the Osram Lightify connected bulbs communicate is over the ZigBee wireless protocol. One of the vulnerabilities Rapid7 discovered is a ZigBee network command replay attack (CVE-2016-5054). According to Rapid7's advisory, it is possible for a malicious actor to capture and replay the Zigbee communication at any time, and replay those commands to disrupt lighting services without any other form of authentication.
Monitoring, capturing and replaying ZigBee communication is easily done using a RZUSBSTICK and Killerbee project code, Heiland explained.
Osram Lightify bulbs can also work on non-Lightify hubs and with third-party mobile apps. For example, it's possible to run Lightify bulbs on a Belkin WeMo link, with the WeMo mobile app. For Lightify bulbs running on non-Lightify hubs and apps, users could still be at risk potentially from flaws in ZigBee, which could allow commands to turn lights on and off, to be vulnerable to a replay attack, Heiland said.
"From the perspective of a home user, the risk is very low, and attackers would most likely leverage the vulnerability as form of harassment," Heiland said.
To find the flaws in the Osram Lightify products, Rapid7 assessed the embedded device, mobile applications, cloud API, network communications (Ethernet, WiFi, ZigBee), firmware and code, where possible. To analyze Osram Lightify, the products were installed and tested in a full functioning environment so the complete ecosystem could be analyzed.
Osram has patched most of the security flaws that Rapid7 found.
Heiland commented that Osram's response to Rapid7's finding was very positive. "I worked closely with Osram during the testing of the Lightify Pro version, and they were very helpful and cooperative during the whole process," Heiland said. "Without their help, it would have been difficult to conduct a thorough evaluation of the Lightify Pro devices security."
Overall, Heiland emphasized that his goal in disclosing the issues with Osram Lightify is to build further awareness for manufacturers of IoT devices, and to help educate consumers of these devices.
"My hope is that future and current vendors will improve their security features, and we can avoid these types of attacks becoming a real issue for the home owners and businesses that utilize these solutions," Heiland said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.